02/22/2007 at 02:43AM PST, ID: 22405884
Urgent---VPN clients cannot access internet via PIX!!

Asked by mbavisi in Miscellaneous Networking, Virtual Private Networking (VPN), Miscellaneous Security

Tags: bypass

Hello,

I am setting up a remote access VPN for users. We can access the inside network, this is fine, but clients cannot browse the internet. We want the internet browsing to go via the PIX and NOT via split tunneling. I have pasted the current config below; if someone could help me that would be excellent!

The group policy is retna-ras-vpn
no asdm history enable
: Saved
:
ASA Version 7.0(5)
!
hostname retna-fw
domain-name retna.com
enable password 3fOs.5cZZ/WXswXb encrypted
names
dns-guard
!
interface Ethernet0/0
 description [TO-BT-CIRCUIT]
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address xxxxxxxxxx 255.255.255.224
!
interface Ethernet0/1
 description [TO-LAN]
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 172.100.200.254 255.255.255.0
!
interface Ethernet0/2
 description [TO-ACCOUNTS]
 speed 100
 duplex full
 nameif Accounts
 security-level 100
 ip address 172.100.100.254 255.255.255.0
!
interface Ethernet0/3
 description [TO-WIRELESS]
 speed 100
 duplex full
 nameif wireless
 security-level 100
 ip address 172.100.150.254 255.255.255.0
!
interface Management0/0
 description [DMZ]
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address xxxxxxxxxx 255.255.255.240
!
passwd yyVrg2mh8zIi/QM1 encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group service tcp-ports-allowed tcp
 description tcp-ports-allowed
 port-object eq 5900
 port-object eq 3283
 port-object eq ssh
 port-object eq 625
 port-object eq 311
 port-object eq domain
object-group service udp-ports-allowed udp
 description udp-ports-allowed
 port-object eq 5900
 port-object eq 3283
 port-object eq 625
 port-object eq 311
 port-object eq domain
object-group service vpn-protocols tcp
 description vpn-protocols
 port-object eq 47
 port-object eq pptp
object-group service dmz-tcp-allowed-test tcp
 description dmz-tcp-allowed-test
 port-object eq 5900
 port-object eq 3283
 port-object eq 625
 port-object eq 311
 port-object eq ssh
object-group service dmz-udp-allowed-test udp
 description dmz-udp-allowed-test
 port-object eq 5900
 port-object eq 3283
 port-object eq 625
 port-object eq 311
object-group service ftp tcp
 description tp
 port-object eq ftp-data
 port-object eq ftp
 port-object range 55535 65535
object-group service dmz-inside tcp
 description dmz-inside
 port-object eq ftp
 port-object eq ssh
 port-object eq ftp-data
 port-object eq 445
 port-object eq www
 port-object eq pop3
 port-object eq https
 port-object eq imap4
object-group service vpn-test tcp
 description vpn-test
 port-object eq 47
 port-object eq pptp
object-group service mail-and-web-access tcp
 description mail-and-web-access
 port-object eq www
object-group service tcp-group-83.244.174.180 tcp
 description tcp-group-83.244.174.180
 port-object eq www
 port-object eq ftp-data
 port-object eq ftp
 port-object eq pop3
 port-object eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark inside-dmz
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark DNS
access-list outside_access_in extended permit udp any host 83.244.174.178 eq domain
access-list outside_access_in remark DNS
access-list outside_access_in extended permit udp any host 83.244.174.180 eq domain
access-list outside_access_in remark DNS
access-list outside_access_in extended permit tcp any host 83.244.174.178 eq domain
access-list outside_access_in remark 80
access-list outside_access_in extended permit tcp any host 83.244.174.178 eq www
access-list outside_access_in remark ftp
access-list outside_access_in extended permit tcp any host 83.244.174.178 object-group ftp
access-list outside_access_in remark smtp
access-list outside_access_in extended permit tcp any host 83.244.174.178 eq smtp
access-list outside_access_in remark dmz-tcp-allowed-test
access-list outside_access_in extended permit tcp host 87.74.17.197 host 83.244.174.178 object-group dmz-tcp-allowed-test
access-list outside_access_in remark dmz-udp-allowed-test
access-list outside_access_in extended permit udp host 87.74.17.197 host 83.244.174.178 object-group dmz-udp-allowed-test
access-list outside_access_in extended permit icmp any host 83.244.174.178
access-list outside_access_in remark dmz-tcp-allowed-test
access-list outside_access_in extended permit tcp host 87.194.72.46 host 83.244.174.178 object-group dmz-tcp-allowed-test
access-list outside_access_in remark dmz-udp-allowed-test
access-list outside_access_in extended permit udp host 87.194.72.46 host 83.244.174.178 object-group dmz-udp-allowed-test
access-list outside_access_in remark vpn-test
access-list outside_access_in extended permit tcp any interface outside object-group vpn-test log debugging
access-list outside_access_in extended permit tcp any host 83.244.174.178 eq pop3
access-list outside_access_in remark tcp-allowed- to 83.244.174.180
access-list outside_access_in extended permit tcp any host 83.244.174.180 object-group tcp-group-83.244.174.180
access-list DMZ_access_in extended permit ip 83.244.174.176 255.255.255.240 any
access-list DMZ_access_in remark smtp allowed outside
access-list DMZ_access_in extended permit tcp host 83.244.174.178 any eq smtp
access-list DMZ_access_in remark dmz to inside
access-list DMZ_access_in extended permit tcp any 172.100.200.0 255.255.255.0
access-list DMZ_access_in remark dmz to inside
access-list DMZ_access_in extended permit udp any 172.100.200.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit icmp 83.244.174.176 255.255.255.240 any
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface inside 10.0.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.0.0.0 255.255.255.0
access-list Accounts_nat0_outbound extended permit ip interface Accounts 10.0.1.0 255.255.255.0
access-list wireless_nat0_outbound extended permit ip interface wireless 10.0.1.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip interface DMZ 10.0.1.0 255.255.255.0
access-list 10 remark allow any ip to vpn users
access-list 10 extended permit ip any any inactive
!
snmp-map cU5t0m3r5@exp
 deny version 2c
!
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Accounts 1500
mtu wireless 1500
mtu DMZ 1500
ip local pool retna-ras-vpn-pool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool retna-vpn-test-pool 10.0.1.1-10.0.1.250 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface Accounts
monitor-interface wireless
monitor-interface DMZ
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 172.100.200.0 255.255.255.0
nat (Accounts) 0 access-list Accounts_nat0_outbound
nat (wireless) 0 access-list wireless_nat0_outbound
nat (DMZ) 0 access-list DMZ_nat0_outbound
static (DMZ,outside) 83.244.174.176 83.244.174.176 netmask 255.255.255.240
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 83.244.173.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 62.244.177.13
 retry-interval 1
 key s3cur1t135//
 authentication-port 8812
 accounting-port 8813
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 10
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy retna-ras-vpn internal
group-policy retna-ras-vpn attributes
 dns-server value 83.244.174.178 83.244.174.179
 webvpn
username debbie password bkQD.xYC5s/FURks encrypted privilege 0
username debbie attributes
 vpn-group-policy retna-ras-vpn
 webvpn
username rahad password faI7bc6Tid26kdhV encrypted privilege 0
username rahad attributes
 vpn-group-policy retna-ras-vpn
 webvpn
username admin password OhPv6tbNhyr8D9oD encrypted privilege 15
username graham password b9AzX5rSahQhtEe8 encrypted privilege 0
username graham attributes
 vpn-group-policy retna-ras-vpn
 webvpn
username steve password neQL6K.TPO2CWQAU encrypted privilege 0
username steve attributes
 vpn-group-policy retna-ras-vpn
 webvpn
username rk295 password ldIdcaNsor2US4He encrypted privilege 0
username rk295 attributes
 vpn-group-policy retna-ras-vpn
 webvpn
username syed password QKXhiFYyWZRrVbId encrypted privilege 15
username robby password oX2ad0PZ3l8SCrtN encrypted privilege 0
username robby attributes
 vpn-group-policy retna-ras-vpn
 webvpn
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
http server enable

snmp-server host outside 62.244.177.38 poll community cU5t0m3r5@exp version 2c
no snmp-server location
no snmp-server contact
snmp-server community cU5t0m3r5@exp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group retna-ras-vpn type ipsec-ra
tunnel-group retna-ras-vpn general-attributes
 address-pool retna-ras-vpn-pool
 default-group-policy retna-ras-vpn
tunnel-group retna-ras-vpn ipsec-attributes
 pre-shared-key *

console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect h323 ras
  inspect sqlnet
  inspect xdmcp
  inspect tftp
  inspect rtsp
  inspect netbios
  inspect sip
  inspect pptp
  inspect http
  inspect rsh
  inspect ftp
  inspect h323 h225
  inspect dns
  inspect skinny
!
service-policy global-policy global
webvpn
 authorization-server-group LOCAL
Cryptochecksum:3d8e6ec548707930ae9e3168749703b0
: end
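Added illustration (not code from the thread or its accepted solution): the checker below walks the lines of the posted config that decide whether tunnelall clients can reach the internet. On ASA 7.x, decrypted client traffic arrives on the outside interface and has to leave through that same interface, so it needs intra-interface forwarding permitted and a NAT rule for the 10.0.0.0/24 pool on outside, feeding the existing `global (outside) 1 interface`; the posted `nat (inside) 1 10.0.0.0 255.255.255.0` never matches, because the pool traffic does not enter on inside. The two `HAIRPIN_FIX` lines are this example's assumed remedy, not something the page confirms.

```python
import re

# Constructed excerpt of the question's config: only the lines that decide
# whether tunnelall clients can reach the internet, not the full ASA config.
CONFIG_AS_POSTED = """\
ip local pool retna-ras-vpn-pool 10.0.0.1-10.0.0.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall
tunnel-group retna-ras-vpn general-attributes
 address-pool retna-ras-vpn-pool
"""

# Assumed fix (not the thread's accepted answer): permit traffic to re-exit the
# interface it came in on, and PAT the VPN pool on that interface using the
# existing 'global (outside) 1 interface'.
HAIRPIN_FIX = """\
same-security-traffic permit intra-interface
nat (outside) 1 10.0.0.0 255.255.255.0
"""

def pool_network(cfg, pool):
    """Network address of a named 'ip local pool' (a /24 mask as posted)."""
    m = re.search(r"^ip local pool %s (\d+\.\d+\.\d+)\.\d+-" % re.escape(pool), cfg, re.M)
    return m.group(1) + ".0" if m else None

def check_tunnelall_hairpin(cfg, pool, vpn_if="outside"):
    """Return findings explaining why tunnelall clients would lack internet access."""
    findings = []
    if "split-tunnel-policy tunnelall" not in cfg:
        return findings  # split tunnelling: internet traffic never crosses the ASA
    net = pool_network(cfg, pool)
    if net is None:
        return ["pool %s not found" % pool]
    if "same-security-traffic permit intra-interface" not in cfg:
        findings.append("traffic entering and leaving %s is denied" % vpn_if)
    nat_rule = re.search(r"^nat \(%s\) (\d+) %s " % (vpn_if, re.escape(net)), cfg, re.M)
    if not nat_rule:
        findings.append("no nat (%s) rule for pool %s" % (vpn_if, net))
    elif not re.search(r"^global \(%s\) %s " % (vpn_if, nat_rule.group(1)), cfg, re.M):
        findings.append("nat id %s has no global (%s)" % (nat_rule.group(1), vpn_if))
    return findings

if __name__ == "__main__":
    print(check_tunnelall_hairpin(CONFIG_AS_POSTED, "retna-ras-vpn-pool"))
    print(check_tunnelall_hairpin(CONFIG_AS_POSTED + HAIRPIN_FIX, "retna-ras-vpn-pool"))
```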
About this solution

Zones: Miscellaneous Networking, Virtual Private Networking (VPN), Miscellaneous Security
Tags: bypass
Solution Provided By: Cyclops3590
Participating Experts: 2
Solution Grade: A